
Optimizing Cloud Connectivity: Secure, Cost-Effective Solutions for AWS Infrastructure


Jan 25, 2024 | Amazon Web Services

When creating cloud infrastructure, we almost always need to connect its elements to the Internet and also make them available to our employees or other users. At the same time, we want our servers and services to be secure and to avoid exorbitant costs. In this post we present some of the simplest options, along with cost calculations for a small infrastructure. Note that the exact figures depend heavily on individual circumstances: the cheapest option for the case discussed here (which is not always the best one) may not scale linearly to a larger or smaller infrastructure.

As shown in the figure below, for the purposes of our article, we assumed that we have 4 servers that we would like to place in AWS. They are to be available only to the employees of our office, and additionally, these servers should have access to the Internet (if only to ensure access to software updates). We also assume that the infrastructure is not critical enough to require the distribution of servers across multiple Availability Zones, so we can assume that services can be located in a single subnet.

For the purpose of cost calculation, we assumed that our infrastructure will be located in the AWS eu-central-1 region (Frankfurt) and we used the price lists valid as of October 20, 2023.

It’s also important to remember that AWS charges standard fees for outgoing cloud traffic at a rate of $0.09/GB. However, for our calculations, we assume that due to our small-scale infrastructure, we should not exceed 100GB of data sent to the Internet, for which AWS currently does not charge any fees.

The simplest option

The simplest implementation of the above assumptions may involve: 

  • Creating a VPC with a public subnet 
  • Creating EC2 virtual machines within this subnet 
  • Assigning public IP addresses to all machines 
  • Creating Security Groups to restrict access to these servers only from the IP address of our office 

To implement this scenario, essentially no paid AWS services are needed. It’s sufficient to activate an Internet Gateway, assign public IP addresses to our EC2 (virtual servers in AWS), and add the appropriate routing. Then our machines can be visible on the Internet and freely communicate with other services.

For a long time, AWS provided one public IP address per machine for free. The only fees required were for reserved IP addresses that were not assigned to an active machine or assigned to a turned-off EC2 instance ($0.005 per hour for the IP address reservation). However, starting from February 1, 2024, AWS introduces charges for all public IP addresses. Therefore, in our scenario, having 4 machines and 4 IP addresses, we will have to incur costs of about $14.60 monthly, or $175 annually.

Costs of the solution: 

Cost         Rate       Count   Month cost   Annual cost
Elastic IP*  $0.005/h   4       $14.60       $175
Total cost                      $14.60       $175
* effective from February 1, 2024

Advantages: 

  • Very simple implementation 
  • Low costs 

Disadvantages: 

  • Exposure of servers to the Internet with all associated risks 
  • Risk of data transmission over the Internet in an unencrypted manner 

How to implement the same using AWS services

A major drawback of the previous scenario is that all servers are exposed to the Internet. Although access to them is limited by security groups, if any application or service running on the server is not secure (e.g., uses unencrypted connections), the data transmitted between our office and our servers could be compromised. We can protect against this by creating a secure connection between our office and AWS infrastructure, for example, using VPN services.

AWS offers the AWS VPN service, which provides two modes of operation: 

  • AWS client VPN: This allows each employee to create their own secure (encrypted) tunnel to the cloud infrastructure directly from their computer. The advantage of this solution is that server access is possible from anywhere in the world, which facilitates employee mobility. 
  • AWS site-to-site VPN: This service allows for a permanent, encrypted connection between our office network and the cloud network, which is completely transparent to employees. Access to servers in the cloud occurs as if they were in the local network. 

What about the costs?

  • For AWS site-to-site VPN, we must pay $0.05 for each hour of tunnel operation, which translates to $36.50 monthly, or $438 annually. 
  • For AWS client VPN, the situation is not as straightforward, as it depends on the number of employees connecting to the servers and the subnet to which our VPN is connected. In our case, we have one subnet. Each hour of linking our VPN to this subnet costs $0.10, which is $73 monthly ($876 annually). Additionally, each hour of VPN usage by a user costs $0.05. Assuming an average of 20 working days and 8 hours of work per day, and considering we have 20 employees who are constantly connecting to the servers they need for work, the cost of this type of solution is about $160 monthly or $1920 annually. 

Combining the fixed costs of our tunnel with the costs of employee connections, we reach a total of $2795 annually.

As evident from this calculation, the costs of individual VPN tunnels for each employee can be quite significant. A more economical option for the example considered is a site-to-site tunnel for daily work, possibly supplemented by individual tunnels for employees who need to work remotely.

If we also want better protection for our servers and not expose them to the Internet (not assigning them public IP addresses and moving them to a private network), it is necessary to add a NAT Gateway to our infrastructure. Without a NAT Gateway, our servers without public IP addresses will not be able to communicate with the Internet, which may limit, for example, their ability to update. NAT Gateway incurs two types of costs:

  • Cost per hour of operation: $0.052 
  • Cost per processed GB of data: $0.052 per GB 

This means that for the NAT Gateway, we must pay about $38 monthly ($456 annually) + the costs of data processed through it. If these are only data needed for server updates, it will likely be a few to several GB per month. However, if the servers on which users work, for example, are remote desktop servers with the ability to browse the Internet or if they run tools for data collection and web scraping, then the traffic through the NAT Gateway can be substantial and generate significant additional costs. It is also important to remember that the NAT Gateway itself requires an external IP address, which will also be billed by AWS ($3.65 monthly, $43.80 annually).

Costs of solutions – site-to-site VPN:

Cost                         Rate       Count   Month cost   Annual cost
site-to-site tunnel          $0.05/h            $36.50       $438
NAT Gateway (h)              $0.05/h            $36.50       $438
NAT Gateway (GB)             $0.05/GB   50**    $2.50        $30
IP assigned to NAT Gateway*  $0.005/h           $3.65        $43.80
IP assigned to VPN Gateway*  $0.005/h           $3.65        $43.80
Total cost                                      $79.15       $993.60
* effective from February 1, 2024
** for calculations, it is assumed that servers exchange 50GB of data with the Internet per month; this cost can vary greatly and should be calculated individually for each case

Costs of the solution – individual tunnels for employees (AWS client VPN): 

Cost                                 Rate       Count                                   Month cost   Annual cost
Tunnel association with subnet       $0.10/h                                            $73          $876
Individual tunnels                   $0.05/h    20 users, 8 hours/day, 20 days/month    $160         $1920
NAT Gateway (h)                      $0.05/h                                            $36.50       $438
NAT Gateway (GB)                     $0.05/GB   50**                                    $2.50        $30
IP assigned to NAT Gateway*          $0.005/h                                           $3.65        $43.80
IP assigned to Client VPN Endpoint*  $0.005/h                                           $3.65        $43.80
Total cost                                                                              $279.30      $3351.60
* effective from February 1, 2024
** for calculations, it is assumed that servers exchange 50GB of data with the Internet per month; this cost can vary greatly and should be calculated individually for each case

Advantages 

  • Using standard AWS services simplifies administration and keeps the solution highly available. 
  • Built-in scaling and monitoring mechanisms. 

Disadvantages 

  • Significant costs of the solution for a small-scale infrastructure. 

How to do it more affordably

It’s important to remember that with managed services (like NAT Gateway, AWS VPN, etc.), we’re not just paying for the technical solution itself, but also for the fact that someone on the AWS side is taking care of the servers these services run on, guaranteeing their availability and reliability. This significantly simplifies our work, as we don’t have to worry about low-level configurations, managing updates, or the stability of the solution.

However, if we have a knack for DIY solutions, we can look for savings by configuring services ourselves, especially since modern solutions are stable enough that, once properly configured, they typically don’t cause many problems. One option is to create an additional EC2 instance with dedicated software that functions as a router with NAT and VPN services for our network. A good fit here is Mikrotik’s Cloud Hosted Router (CHR). For the operation of this router, machines from the t3a.nano family are sufficient. The cost of such an instance is $0.005 per hour, which is $3.65 monthly ($43.80 annually) at on-demand prices (we pay for each hour of use and can cancel at any time).

Additionally, there’s the cost of the Mikrotik software license: in the basic version (CHR P1), it’s about $45 for a perpetual license allowing a transfer rate of up to 1Gb/s, which is more than sufficient for a small infrastructure. Larger licenses cost around $95 (CHR P10, throughput up to 10Gb/s) or $250 (CHR PU, unlimited speed).

Using Mikrotik Cloud Hosted Router, one can simultaneously perform the functions of a NAT Gateway, site-to-site VPN, and client VPN, incurring the costs of a single, small virtual machine.

Costs of the solution

Cost          Rate       Count   Month cost   Annual cost
t3a.nano EC2  $0.005/h           $3.65        $43.80
Elastic IP*   $0.005/h           $3.65        $43.80
Total cost                       $7.30**      $87.60**
* effective from February 1, 2024
** additionally, the purchase of a Mikrotik license is necessary, starting at about $95 for a perpetual license

Advantages: 

  • Very low maintenance costs for the solution 
  • Great flexibility and the ability to expand the solution with additional services without incurring extra costs (e.g., multiple site-to-site tunnels) 

Disadvantages: 

  • The need for self-configuration of the router and subsequent maintenance 
  • Limited integration capabilities with other AWS tools 
  • Difficult to achieve a similar level of availability as with AWS services 
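To make the comparison above reusable with other head-counts and traffic volumes, here is an added cost model (example code, not from the original post or from Vilisoft). It uses the rates quoted in the post and AWS's 730-hour billing month; the NAT Gateway uses the $0.052 rates from the bullet list, so its figures come out slightly above the rounded $0.05 rows in the tables, and the one-off Mikrotik licence is left out of the recurring totals.

```python
# Added example: recurring monthly-cost model for the three designs discussed above.
# Rates are the post's October 2023 Frankfurt figures; 730 h/month is the billing
# convention behind the post's "$0.005/h -> $3.65/month" for one public IP.
from dataclasses import dataclass

HOURS_PER_MONTH = 730
PUBLIC_IP_PER_H = 0.005         # every public IPv4 is billed from 2024-02-01
S2S_TUNNEL_PER_H = 0.05         # AWS site-to-site VPN tunnel
CLIENT_VPN_ASSOC_PER_H = 0.10   # AWS Client VPN, per associated subnet
CLIENT_VPN_USER_PER_H = 0.05    # AWS Client VPN, per connected user-hour
NAT_GW_PER_H = 0.052
NAT_GW_PER_GB = 0.052
T3A_NANO_PER_H = 0.005          # self-managed router instance (licence excluded)


@dataclass
class Usage:
    servers: int = 4            # defaults reproduce the post's scenario
    users: int = 20
    hours_per_day: int = 8
    days_per_month: int = 20
    nat_gb_per_month: float = 50.0


def public_servers(u: Usage) -> float:
    """Design 1: one public IP per server; nothing else is billed."""
    return u.servers * PUBLIC_IP_PER_H * HOURS_PER_MONTH


def nat_gateway(u: Usage) -> float:
    """Managed NAT Gateway: hourly charge + per-GB charge + its own public IP."""
    return (NAT_GW_PER_H * HOURS_PER_MONTH + NAT_GW_PER_GB * u.nat_gb_per_month
            + PUBLIC_IP_PER_H * HOURS_PER_MONTH)


def site_to_site_vpn(u: Usage) -> float:
    """Design 2a: managed site-to-site tunnel (with its IP) + NAT Gateway."""
    return (S2S_TUNNEL_PER_H + PUBLIC_IP_PER_H) * HOURS_PER_MONTH + nat_gateway(u)


def client_vpn(u: Usage) -> float:
    """Design 2b: Client VPN (subnet association + user-hours + IP) + NAT Gateway."""
    sessions = u.users * u.hours_per_day * u.days_per_month * CLIENT_VPN_USER_PER_H
    return ((CLIENT_VPN_ASSOC_PER_H + PUBLIC_IP_PER_H) * HOURS_PER_MONTH
            + sessions + nat_gateway(u))


def self_managed_router(u: Usage) -> float:
    """Design 3: one t3a.nano doing NAT and both VPN roles, with one public IP."""
    return (T3A_NANO_PER_H + PUBLIC_IP_PER_H) * HOURS_PER_MONTH


def client_vpn_breakeven_users(u: Usage) -> int:
    """Smallest head-count whose per-user Client VPN hours alone exceed the price
    of a whole site-to-site tunnel; the post's 20 users are well past it."""
    per_user = u.hours_per_day * u.days_per_month * CLIENT_VPN_USER_PER_H
    return int((S2S_TUNNEL_PER_H * HOURS_PER_MONTH) // per_user) + 1
```

Multiply any monthly figure by 12 for the annual cost used in the tables; change the `Usage` fields to model your own office.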
